U.S. Department of Agriculture
Office of Inspector General
Financial Audit Operations

Statement on Auditing Standards No. 70
Report on the National Information Technology
Center General Controls Review

Report 88501-14-FM
September 2010


U.S. Department of Agriculture
Office of Inspector General
Washington, D.C. 20250

DATE:         September 2, 2010

REPLY TO
ATTN OF:      88501-14-FM

TO:           Christopher L. Smith
              Chief Information Officer
              Office of the Chief Information Officer

ATTN:         Sherry Linkins
              Office of the Chief Information Officer
              Information Resources Management

FROM:         Gil H. Harden /s/
              Assistant Inspector General
              for Audit

SUBJECT:      Statement on Auditing Standards No. 70 Report on the National Information
              Technology Center General Controls Review

This report presents the results of our Statement on Auditing Standards (SAS) No. 70 audit at the
Office of the Chief Information Officer/National Information Technology Center (OCIO/NITC)
as of June 30, 2010. The audit was conducted in accordance with Government Auditing
Standards issued by the Comptroller General of the United States and the American Institute of
Certified Public Accountants Standards that are commonly referred to as a SAS No. 70 audit.
This report contains an unqualified opinion on the general control environment and does not
contain recommendations. The projection of any conclusions based on our audit findings to
future periods is subject to the risk that changes may alter the validity of such conclusions.
This report is intended solely for the management of OCIO/NITC, its customer agencies, and
their auditors.

We appreciate the courtesies and cooperation extended to us during this review.


Table of Contents

Executive Summary
Independent Auditors’ Report
Abbreviations Used in This Report


Executive Summary
Statement on Auditing Standards No. 70 Report on the National Information
Technology Center General Controls Review (Report 88501-14-FM)

Results in Brief
This report presents the results of our Statement on Auditing Standards No. 70 audit of the
Office of the Chief Information Officer/National Information Technology Center’s
(OCIO/NITC) internal controls as of June 30, 2010. Our review was conducted in accordance
with Government Auditing Standards issued by the Comptroller General of the United States
including American Institute of Certified Public Accountants Professional Standards as amended
by applicable statements on auditing standards.

Our objectives were to perform procedures necessary to express opinions about whether (1)
OCIO/NITC’s description of controls in exhibit A presents fairly, in all material respects, the
aspects of OCIO/NITC’s controls that may be relevant to a customer agency’s internal control as
it relates to an audit of financial statements; (2) the controls included and/or referenced were
placed in operation and suitably designed to achieve the control objectives specified in the
description, if those controls were complied with satisfactorily and customer agencies applied the
controls contemplated in the design of OCIO/NITC’s controls; and (3) the controls we tested
were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance
that the control objectives specified were achieved during the period from July 1, 2009, through
June 30, 2010.

Our audit disclosed that the control objectives and techniques identified in exhibit A presented
fairly, in all material respects, the relevant aspects of OCIO/NITC’s controls. Also, in our
opinion, the controls included in the description were suitably designed and operating with
sufficient effectiveness to provide reasonable assurance that associated control objectives would
be achieved if the described policies and procedures were complied with satisfactorily and
customer agencies applied the controls specified in the OCIO/NITC description of controls.

Recommendation Summary
We do not make any recommendations in this report.


Independent Auditors’ Report
To:    Christopher L. Smith
       Chief Information Officer
       Office of the Chief Information Officer

We have examined the accompanying description of controls, referenced in exhibit A, related to
the U.S. Department of Agriculture’s Office of the Chief Information Officer/National
Information Technology Center (OCIO/NITC). Our examination included procedures to obtain
reasonable assurance about whether (1) the accompanying description presents fairly, in all
material respects, the aspects of OCIO/NITC’s controls that may be relevant to a customer
agency’s internal control as it relates to an audit of financial statements; (2) the controls included
in the description were suitably designed to achieve the control objectives specified in the
description, if those controls were complied with satisfactorily and customer agencies applied the
controls contemplated in the design of OCIO/NITC’s controls; and (3) such controls had been
placed in operation as of June 30, 2010. OCIO/NITC uses the services of an alternate data center
facility, off-site media storage organization, hosting support services, and telecommunication
services. The accompanying description includes only those controls and related control
objectives of OCIO/NITC. Our examination did not extend to controls of the sub-service
organizations noted above. The control objectives were specified by the management of
OCIO/NITC.

Our audit was conducted in accordance with Government Auditing Standards issued by the
Comptroller General of the United States and the standards established by the American Institute
of Certified Public Accountants and included those procedures we considered necessary in the
circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, OCIO/NITC’s description of controls in exhibit A of this report presents fairly, in
all material respects, the relevant aspects of OCIO/NITC’s controls that had been placed in
operation as of June 30, 2010. Also, in our opinion, the controls, as described in exhibit A, are
suitably designed to provide reasonable assurance that the specified control objectives would be
achieved if the described controls were complied with satisfactorily and customer agencies
applied the controls contemplated in the design of OCIO/NITC’s controls.

In addition to the procedures we considered necessary to render our opinion as expressed in the
previous paragraph, we applied tests to specific controls, which are presented in exhibit B of this
report, to obtain evidence about their effectiveness in meeting the related control objectives
described in exhibit A during the period from July 1, 2009, through June 30, 2010. The specific
controls and the nature, timing, extent, and results of our tests are listed in exhibit B. This
information will be provided to customer agencies and their auditors to be taken into
consideration, along with information about the internal control at customer agencies, when
making assessments of control risk for customer agencies. In our opinion, the controls that were
tested, as described in exhibit B, were operating with sufficient effectiveness to provide
reasonable, but not absolute, assurance that the control objectives specified in exhibit A were
achieved during the period from July 1, 2009, through June 30, 2010.

The relative effectiveness and significance of specific controls at OCIO/NITC and their effect on
assessments of control risk at user organizations are dependent on their interaction with the
controls and other factors present at individual customer organizations. We have performed no
procedures to evaluate the effectiveness of controls at individual customer agencies.

The description of controls at OCIO/NITC is as of June 30, 2010, and information about tests of
the operating effectiveness of specific controls covers the period from July 1, 2009, through
June 30, 2010. Any projection of such information to the future is subject to the risk that,
because of change, the description may no longer portray the controls in existence. The potential
effectiveness of specific controls at OCIO/NITC is subject to inherent limitations and,
accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any
conclusions, based on our findings, to future periods is subject to the risk that (1) changes made
to the system or controls, (2) changes in processing requirements, or (3) changes required
because of the passage of time may alter the validity of such conclusions.

This report is intended solely for use by the management of OCIO/NITC, its users, and the
independent auditors of its users.

Gil H. Harden /s/
Assistant Inspector General
for Audit

August 30, 2010


Abbreviations Used in This Report
C&A        Certification and Accreditation
EIMS       Enterprise Identity Management System
ID         Identification
IS         Information System
ISS        Infrastructure Support System
IT         Information Technology
NIST       National Institute of Standards and Technology
NITC       National Information Technology Center
OCIO       Office of the Chief Information Officer
PIA        Privacy Impact Assessment
POA&M      Plan of Action & Milestones
RA         Risk Assessments
SSP        System Security Plan
SNCC       System Network Control Center
USDA       U.S. Department of Agriculture


The subsequent sections of the report, exhibit A (pages 5
through 49) and exhibit B (pages 50 through 68), are not
being publicly released due to the sensitive security
content.